author    mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>  Tue, 7 Nov 2017 19:33:22 +0000 (19:33 +0000)
committer mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>  Tue, 7 Nov 2017 19:33:22 +0000 (19:33 +0000)
commit    91120c595a72ae30e2a85d5af1590e28bf5a126c
tree      b2a03f342c3a6d9954c2190bebfc45e6688c362e
parent    7385a301977a5a7a55f77689958861a368fe8a87
AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
https://bugs.webkit.org/show_bug.cgi?id=179355
<rdar://problem/35263053>

Reviewed by Saam Barati.

JSTests:

* stress/regress-179355.js: Added.

Source/JavaScriptCore:

In the Transition case in AccessCase::generateImpl(), we were restoring registers
using restoreLiveRegistersFromStackForCall() without excluding the scratchGPR
where we previously stashed the reallocated butterfly.  If the generated code is
under heavy register pressure, scratchGPR could have been from the set of preserved
registers, and hence, would be restored by restoreLiveRegistersFromStackForCall().
As a result, the restoration would trash the butterfly result we stored there.
This patch fixes the issue by excluding the scratchGPR in the restoration.

* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@224539 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/regress-179355.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/bytecode/AccessCase.cpp
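A constructed C++ model of the spill/restore sequence the commit message describes, added here as an illustration and not JSC code: the register file, bitmask RegisterSet, register indices and the butterfly value are all assumptions. It shows that the stale restore only bites when scratchGPR is itself in the live (preserved) set, which is exactly the register-pressure case the message calls out.

```cpp
#include <array>
#include <cstdint>
#include <vector>

// Hypothetical model of the save/restore dance around a slow-path call in
// AccessCase::generateImpl(): live registers are spilled to the stack before
// the call and reloaded afterward. All values here are constructed.
constexpr int kNumGPRs = 8;
using RegisterFile = std::array<uint64_t, kNumGPRs>;
using RegisterSet = uint32_t;  // bit i set => GPR i is live across the call

inline RegisterSet bit(int gpr) { return RegisterSet{1} << gpr; }

// Spill every register in `live` to a per-register stack slot before the call.
std::vector<uint64_t> storeLiveRegistersToStack(const RegisterFile& regs, RegisterSet live) {
    std::vector<uint64_t> stack(kNumGPRs, 0);
    for (int i = 0; i < kNumGPRs; ++i)
        if (live & bit(i)) stack[i] = regs[i];
    return stack;
}

// Reload registers in `live` after the call, skipping any in `exclude`.
// The fix described in the message amounts to putting scratchGPR in `exclude`.
void restoreLiveRegistersFromStack(RegisterFile& regs, const std::vector<uint64_t>& stack,
                                   RegisterSet live, RegisterSet exclude) {
    for (int i = 0; i < kNumGPRs; ++i)
        if ((live & bit(i)) && !(exclude & bit(i))) regs[i] = stack[i];
}

// Transition path: spill, call the allocator, stash the new butterfly in scratchGPR,
// restore. Returns what scratchGPR holds afterward; the caller expects the butterfly.
uint64_t transitionPath(RegisterSet liveRegisters, int scratchGPR, bool excludeScratch) {
    RegisterFile regs{};
    for (int i = 0; i < kNumGPRs; ++i) regs[i] = 0x1000 + i;  // constructed pre-call contents
    std::vector<uint64_t> stack = storeLiveRegistersToStack(regs, liveRegisters);
    const uint64_t newButterfly = 0xB0B0;  // constructed "reallocated butterfly" pointer
    regs[scratchGPR] = newButterfly;       // call result stashed in scratchGPR
    RegisterSet exclude = excludeScratch ? bit(scratchGPR) : 0;
    restoreLiveRegistersFromStack(regs, stack, liveRegisters, exclude);
    return regs[scratchGPR];
}
```

With scratchGPR outside the live set both variants return the butterfly, which is why the bug stayed latent until heavy register pressure pulled scratchGPR into the preserved set.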